Web Application Vulnerabilities, Acunetix high level threat

I just finished a web-based audit using Acunetix. From the results, I found that a lot of vulnerable services affect that particular server. Before I finish the report, I have to prove to them that this website is really vulnerable. We just plan to put a text file inside their server to prove that somebody else who has malicious intentions is able to get write access to their server.
From all these vulnerabilities, which one is the easiest to penetrate? Now I'm still in the process of learning how to do cross-site scripting and other exploits for web-based applications. When I searched in the link below, there were no specifics / details on how to do it. They only describe it generally.

1. PHP version vulnerable
Severity: High
Affects: PHP
Details: Current version is PHP/4.0.6
Type: Configuration
Description:
This alert has been generated using only banner information. It may be a false positive.

Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.

2. Apache version vulnerable
Severity: High
Affects: Web Server
Details: No details are available.
Type: Validation
Description: This version of Apache is vulnerable to HTML injection (including malicious JavaScript code) through the "Expect" header. Until now it was not classed as a security vulnerability, as an attacker has no way to influence the Expect header a victim will send to a target site. However, according to Amit Klein's paper "Forging HTTP request headers with Flash", there is a working cross-site scripting (XSS) attack against Apache 1.3.34, 2.0.57 and 2.2.1 (as long as the client browser is IE or Firefox, and it supports Flash 6/7+).

3. PHP version vulnerable
Severity: High
Affects: PHP
Details: Current version is PHP/4.0.6
Type: Configuration
Description:
This alert has been generated using only banner information. It may be a false positive.

Stefan Esser reported some vulnerabilities in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. For a detailed explanation of the vulnerability read the referenced article.
Vendor has released PHP 5.2.0 which fixes this issue.

4. PHP version vulnerable
Severity: High
Affects: PHP
Details: Current version is PHP/4.0.6
Type: Configuration
Description:
This alert has been generated using only banner information. It may be a false positive.

Stefan Esser had discovered a weakness within the depths of the implementation of hashtables in the Zend Engine. This vulnerability affects a large number of PHP applications. It creates large new holes in many popular PHP applications. Additionally, many old holes that were disclosed in the past were only fixed by using the unset() statement. Many of these holes are still open if the already existing exploits are changed by adding the correct numerical keys to survive the unset(). For a detailed explanation of the vulnerability read the referenced article.

5. PHP version vulnerable
Severity: High
Affects: PHP
Details: Current version is PHP/4.0.6
Type: Configuration
Description:
This alert has been generated using only banner information. It may be a false positive.

Multiple vulnerabilities have been reported in PHP, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system.